b'Department of Health and Human Services\n                   OFFICE OF\n              INSPECTOR GENERAL\n\n\nTHE OFFICE OF THE NATIONAL\n  COORDINATOR FOR HEALTH\n INFORMATION TECHNOLOGY\xe2\x80\x99S\n  OVERSIGHT OF THE TESTING\n    AND CERTIFICATION OF\nELECTRONIC HEALTH RECORDS\n\n\n\n   Inquiries about this report may be addressed to the Office of Public Affairs at\n                            Public.Affairs@oig.hhs.gov.\n\n\n\n\n                                           Daniel R. Levinson\n                                           Inspector General\n\n                                              August 2014\n                                             A-06-11-00063\n\x0c                    Office of Inspector General\n                                     https://oig.hhs.gov\n\n\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as\namended, is to protect the integrity of the Department of Health and Human Services (HHS)\nprograms, as well as the health and welfare of beneficiaries served by those programs. This\nstatutory mission is carried out through a nationwide network of audits, investigations, and\ninspections conducted by the following operating components:\n\nOffice of Audit Services\n\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting\naudits with its own audit resources or by overseeing audit work done by others. Audits examine\nthe performance of HHS programs and/or its grantees and contractors in carrying out their\nrespective responsibilities and are intended to provide independent assessments of HHS\nprograms and operations. 
These assessments help reduce waste, abuse, and mismanagement and\npromote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS,\nCongress, and the public with timely, useful, and reliable information on significant issues.\nThese evaluations focus on preventing fraud, waste, or abuse and promoting economy,\nefficiency, and effectiveness of departmental programs. To promote impact, OEI reports also\npresent practical recommendations for improving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations of\nfraud and misconduct related to HHS programs, operations, and beneficiaries. With\ninvestigators working in all 50 States and the District of Columbia, OI utilizes its resources by\nactively coordinating with the Department of Justice and other Federal, State, and local law\nenforcement authorities. The investigative efforts of OI often lead to criminal convictions,\nadministrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG,\nrendering advice and opinions on HHS programs and operations and providing all legal support\nfor OIG\xe2\x80\x99s internal operations. OCIG represents OIG in all civil and administrative fraud and\nabuse cases involving HHS programs, including False Claims Act, program exclusion, and civil\nmonetary penalty cases. In connection with these cases, OCIG also negotiates and monitors\ncorporate integrity agreements. 
OCIG renders advisory opinions, issues compliance program\nguidance, publishes fraud alerts, and provides other guidance to the health care industry\nconcerning the anti-kickback statute and other OIG enforcement authorities.\n\x0c                                       EXECUTIVE SUMMARY\n\n The Office of the National Coordinator for Health Information Technology\xe2\x80\x99s oversight of\n the authorized testing and certification bodies did not fully ensure that electronic patient\n information in the currently available electronic health record applications was secure and\n protected.\n\nWHY WE DID THIS REVIEW\n\nTo improve the quality and value of American health care, the Federal Government promotes the\nuse of certified electronic health record (EHR) applications by health care professionals and\nhospitals (providers). As an incentive, the Federal Government is paying providers who attest to\nthe \xe2\x80\x9cmeaningful use\xe2\x80\x9d of EHRs. As of December 2013, the Centers for Medicare & Medicaid\nServices had paid more than $19 billion in incentive payments to more than 340,000 providers\nwho have attested to using EHRs. To receive incentive payments, providers must use EHRs that\nhave been certified by an authorized testing and certification body (ATCB) in accordance with\nFederal security standards. The U.S. Department of Health and Human Services (HHS), Office\nof the National Coordinator for Health Information Technology (ONC), oversees the testing and\ncertification process for EHRs. Together with ONC and with ONC\xe2\x80\x99s approval, the National\nInstitute of Standards and Technology (NIST) developed test procedures for the ATCBs to use\nwhen determining whether EHRs met the Federal security standards.\n\nCertification assures health care providers that the EHR has the capabilities needed, including\nappropriate record security and protection, for providers to participate in the Medicare and\nMedicaid EHR Incentive Programs. 
If insecure systems have been certified by an ATCB,\nproviders and patients may have a false sense of security and assurance. We have identified risks\nrelated to ATCBs\xe2\x80\x99 certifying EHRs with inadequate security and privacy controls and for which\nhealth care providers have received incentive payments. As of August 30, 2013, 3,590 certified\nEHRs were available to health care providers, 95 percent of which were certified by ATCBs\nunder the Temporary Certification Program for Health Information Technology (Temporary\nProgram).\n\nThe objectives of this review were to assess whether (1) ONC\xe2\x80\x99s oversight of ATCBs ensured that\nelectronic patient information was secure and protected, (2) the ATCBs\xe2\x80\x99 standards and\nprocedures for testing and certifying EHRs met NIST test procedure requirements, and (3) NIST\ntest procedures were sufficient to secure and protect electronic patient information.\n\nBACKGROUND\n\nOn June 24, 2010, HHS established the Temporary Program for health information technology to\ntest and certify EHRs using the temporary program\xe2\x80\x99s criteria. Once tested and certified, EHRs\nmeet the definition of Certified EHR Technology and may be used by providers to help them\nqualify for incentive payments under the Medicare and Medicaid EHR Incentive Programs.\n\nFederal regulations outline security standards to which the ATCBs must adhere when testing and\ncertifying EHRs. At a minimum, all certified EHRs must meet security requirements related to\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)   i\n\x0cseven information technology areas: access control, emergency access, automatic log-off, audit\nlog, integrity, authentication, and general encryption.\n\nWHAT WE FOUND\n\nONC\xe2\x80\x99s oversight of the ATCBs did not fully ensure that test procedures and standards could\nadequately secure and protect electronic patient information contained in EHRs. 
Specifically,\nONC did not ensure that the ATCBs:\n\n    \xe2\x80\xa2   developed procedures to periodically evaluate whether certified EHRs continued to meet\n        Federal standards and\n\n    \xe2\x80\xa2   developed a training program to ensure that their personnel were competent to test and\n        certify EHRs and to secure proprietary or sensitive EHR information.\n\nThe ATCBs\xe2\x80\x99 standards and procedures for testing and certifying EHRs met all NIST test\nprocedure requirements that ONC approved. However, those NIST test procedures were not\nsufficient to ensure that EHRs would adequately secure and protect patient health information; in\nparticular, the procedures allowed ATCBs to certify EHRs that demonstrated the use of a single-\ncharacter password during testing. In addition, the NIST test procedures did not address\ncommon security issues, such as, but not limited to, password complexity and/or logging\nemergency access or user privilege changes.\n\nWHAT WE RECOMMEND\n\nTo ensure that each patient\xe2\x80\x99s health information in EHRs is secure and protected, we recommend\nthat ONC require the ATCBs to:\n\n    \xe2\x80\xa2   develop procedures to periodically evaluate whether certified EHRs continue to meet\n        Federal standards and\n\n    \xe2\x80\xa2   develop a training program to ensure that their personnel are competent to test and certify\n        EHRs and to secure proprietary or sensitive EHR information.\n\nWe also recommend that ONC work with NIST to strengthen EHR test procedure requirements\nso that ATCBs can ensure during testing that EHR vendors incorporate a baseline set of security\nand privacy features into the development of EHRs to address common security issues.\n\nONC COMMENTS AND OUR RESPONSE\n\nIn written comments on our draft report, ONC stated that ATCBs are no longer active in the\nONC Certification Program and that testing and certification functions are now performed by\nseparate entities in the ONC Health 
Information Technology Certification Program. ONC also\nstated that it currently is using new certification criteria, the 2014 Edition EHR Certification\nCriteria, that have \xe2\x80\x9cstrengthened test procedures for common security and privacy features for\ninclusion in EHRs.\xe2\x80\x9d\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)      ii\n\x0cWe do not agree that the 2014 Edition EHR Certification Criteria sufficiently address our\nsecurity concerns regarding the Temporary Program.\n\n\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)   iii\n\x0c                                                    TABLE OF CONTENTS\n\nINTRODUCTION ...........................................................................................................................1\n\n           Why We Did This Review ...................................................................................................1\n\n           Objectives ............................................................................................................................1\n\n           Background ..........................................................................................................................1\n                 Health Information Technology for Economic and Clinical Health Act .................1\n                 Temporary Certification Program for Health Information Technology ..................2\n\n           How We Conducted This Review........................................................................................3\n\nFINDINGS .......................................................................................................................................3\n\n           ONC\xe2\x80\x99s Oversight of Authorized Testing and Certification Bodies\n            Needs Improvement 
..........................................................................................................4\n                 Insufficient Procedures for Periodic Evaluation of Electronic Health Record\n                   Applications ..........................................................................................................4\n                 Insufficient Training Program Specifically Related to Electronic Health\n                   Record Test Procedures and Security of Records .................................................5\n\n           Authorized Testing and Certification Body Standards Met Requirements but National\n            Institute of Standards and Technology Test Procedures Needed Strengthening ..............6\n                  Standards and Procedures of Authorized Testing and Certification Bodies\n                    Met Requirements .................................................................................................6\n                  Test Procedures Need Strengthening .......................................................................6\n\n           Conclusion ...........................................................................................................................6\n\nRECOMMENDATIONS .................................................................................................................7\n\nONC COMMENTS .........................................................................................................................7\n\nOFFICE OF INSPECTOR GENERAL RESPONSE ......................................................................7\n\nOTHER MATTERS.........................................................................................................................8\n\nAPPENDIXES\n\n           A: FEDERAL AND INTERNATIONAL REQUIREMENTS ON THE TESTING\n              AND CERTIFICATION OF ELECTRONIC HEALTH RECORDS ...........................9\n\n           B: AUDIT SCOPE AND 
METHODOLOGY ..................................................................11\n\n           C: ONC COMMENTS......................................................................................................12\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                                                   iv\n\x0c                                               INTRODUCTION\n\nWHY WE DID THIS REVIEW\n\nTo improve the quality and value of American health care, the Federal Government promotes the\nuse of certified electronic health record (EHR) applications by health care professionals and\nhospitals (providers). The Medicare and Medicaid EHR Incentive Programs provide financial\nincentives for the meaningful use of certified EHR technology. To demonstrate meaningful use,\nproviders must meet certain measurement thresholds that range from recording patient\ninformation as structured data to exchanging summary care information. EHR incentive\nprograms include three stages with increasing requirements for participation. 1 As of December\n2013, the Centers for Medicare & Medicaid Services had paid more than $19 billion in incentive\npayments to more than 340,000 providers who have attested to using EHRs. To receive\nincentive payments, providers must use EHRs that have been certified by an authorized testing\nand certification body (ATCB) in accordance with Federal security standards.\n\nThe U.S. Department of Health and Human Services (HHS), Office of the National Coordinator\nfor Health Information Technology (ONC), oversees the testing and certification process for\nEHRs. Certifying EHRs that have inadequate security may increase the risk for unauthorized\nindividuals to gain access to patient health information or to submit improper claims. 
We have\nidentified risks that are related to ATCB certification of EHRs with inadequate security and\nprivacy controls and for which health care providers have received incentive payments. As of\nAugust 30, 2013, 3,590 certified EHRs were available to health care providers, 95 percent of\nwhich were certified by ATCBs under the Temporary Certification Program for Health\nInformation Technology (Temporary Program).\n\nOBJECTIVES\n\nOur objectives were to assess whether (1) ONC\xe2\x80\x99s oversight of ATCBs ensured that electronic\npatient information was secure and protected, (2) the ATCBs\xe2\x80\x99 standards and procedures for\ntesting and certifying EHRs met National Institute of Standards and Technology (NIST) test\nprocedure requirements, and (3) NIST test procedures were sufficient to secure and protect\nelectronic patient information.\n\nBACKGROUND\n\nHealth Information Technology for Economic and Clinical Health Act\n\nOn February 17, 2009, the President signed the American Recovery and Reinvestment Act of\n2009 (Recovery Act), P.L. No. 111-5. Title XIII of Division A and Title IV of Division B of the\nRecovery Act are cited together as the Health Information Technology for Economic and\nClinical Health Act (HITECH Act). 
The HITECH Act established ONC, an entity within the\n\n1\n  To meaningfully use certified EHRs, providers must use numerous EHR functions defined in Federal regulations,\nincluding functions meant to improve health care quality and efficiency, such as computerized provider order entry,\nelectronic prescribing, and the exchange of key clinical information.\n\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                         1\n\x0cOffice of the Secretary for HHS, as the principal Federal entity responsible for coordinating the\neffort to implement a nationwide health information technology (health IT) infrastructure that\nallows for the use and exchange of health information in an electronic format that protects\npatient information from unauthorized access. The HITECH Act includes provisions to promote\nthe meaningful use of health IT and authorizes incentive payments to providers.\n\nTemporary Certification Program for Health Information Technology\n\nSection 3001(c)(5) of the Public Health Service Act (PHSA) (as amended by the HITECH Act)\nrequires the National Coordinator to establish a program to certify that EHR technology\ncomplies with the certification criteria adopted by the Secretary of HHS in the Standards and\nCertification Criteria Final Rule (Final Rule). The Temporary Certification Program was in\neffect from June 24, 2010, to October 4, 2012. The Permanent Certification Program (Permanent\nProgram) came into effect after the sunsetting of the Temporary Program. 2 These programs\ngovern the authorization and operations of bodies that certify EHRs in accordance with ONC\ncertification criteria. 3\n\nIn addition, ONC promulgated its 2011 and 2014 Edition EHR Certification Criteria, to which\nATCBs are to certify EHRs. 4 The Temporary and Permanent Certification Programs require\nATCBs to abide by the principles of proper conduct. 
ONC obtained a signed formal agreement,\nAgreement to Adhere to the Principles of Proper Conduct for ONC-ATCBs (Principles of Proper\nConduct), from six ATCBs authorized under its certification programs: The Certification\nCommission for Health Information Technology, Drummond Group, SLIGlobal, ICSA Labs,\nInfoGard, and SureScripts.\n\nThe Principles of Proper Conduct required the ATCBs to, among other things, operate (1) a\ncertification program in accordance with the International Organization for Standardization and\nInternational Electrotechnical Commission (ISO/IEC) Guide 65:1996, General requirements for\nbodies operating product certification systems, and (2) a testing program in accordance with\nISO/IEC 17025:2005, General requirements for the competence of testing and calibration\nlaboratories. 5 The Principles of Proper Conduct also require ATCBs to use test procedures\napproved by ONC.\n\nIn addition, ATCBs test EHRs and certify that they meet the certification criteria at 45 CFR\npart 170, subpart C, which include several security standards (45 CFR \xc2\xa7\xc2\xa7 170.302(o)\xe2\x80\x93(u)). To\nbe certified, an EHR must, at a minimum, meet security standards related to the following:\n\n2\n    75 Fed. Reg. 36158 (June 24, 2010) and 76 Fed. Reg. 1262 (January 7, 2011).\n3\n Five of the six ATCBs in the Temporary Program have been approved to test and certify EHRs under the\nPermanent Program, and EHRs certified during the Temporary Program are valid in the Permanent Program.\nHowever, starting in 2014, providers and hospitals must use EHRs that are certified under the 2014 Edition EHR\nCertification Criteria to achieve meaningful use. See 45 CFR \xc2\xa7 170.102 Nt. (2012).\n4\n    75 Fed. Reg. 44590 (July 28, 2010) and 77 Fed. Reg. 54163 (Sept. 
4, 2012).\n5\n    ISO and IEC develop international standards through technical committees established by the organizations.\n\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                    2\n\x0caccess control, emergency access, automatic log-off, audit log, integrity, authentication, and\ngeneral encryption. Together with ONC and with ONC\xe2\x80\x99s approval, NIST developed test\nprocedures for the ATCBs to use when determining whether EHRs met the Federal security\nstandards.\n\nAfter an EHR is tested and certified, the ATCB informs ONC, which lists the EHR on its\nCertified Health IT Product List (Product List). Eligible providers may then qualify for incentive\npayments under the Medicare and Medicaid EHR Incentive Programs by using an EHR on the\nProduct List. Certification assures health care providers that the EHR has the capabilities\nneeded, including appropriate record security and protection, for providers to participate in the\nMedicare and Medicaid EHR Incentive Programs.\n\nAs of August 30, 2013, 3,590 certified EHRs were listed on the Product List. Under the\nTemporary Program, 3,403 EHRs (95 percent) were certified; the remaining 187 were certified\nunder the Permanent Program. EHRs certified under the Temporary Program are still available\nto health care providers.\n\nAppendix A contains more details about Federal and international requirements related to the\nTemporary Program.\n\nHOW WE CONDUCTED THIS REVIEW\n\nWe focused our audit on ONC\xe2\x80\x99s procedures for oversight of the ATCBs. We also assessed the\nATCBs\xe2\x80\x99 procedures for testing EHRs and certifying that EHRs meet certain Federal\nrequirements and NIST Special Publications (SP). We judgmentally selected 30 EHRs and\nreviewed their ATCBs\xe2\x80\x99 testing documentation. We also reviewed certain ISO/IEC security\nrequirements related to the security of records and to training at five of the six ATCBs. 
6\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives.\n\nAppendix B contains the details of our audit scope and methodology.\n\n                                                    FINDINGS\n\nONC\xe2\x80\x99s oversight of the ATCBs did not fully ensure that electronic patient information in EHRs\nwas secure and protected. Specifically, ONC did not ensure that the ATCBs:\n\n      \xe2\x80\xa2    developed procedures to periodically evaluate whether certified EHRs continued to meet\n           Federal standards and\n\n\n6\n    One of the six ATCBs (SureScripts) did not certify any EHRs; therefore, we excluded it from our review.\n\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                 3\n\x0c      \xe2\x80\xa2   developed a training program to ensure that their personnel were competent to test and\n          certify EHRs and to secure proprietary or sensitive EHR information.\n\nRegulations for the Temporary and Permanent Certification Programs require that ATCBs use\ntesting procedures approved by ONC to evaluate conformance of EHRs to each of ONC\xe2\x80\x99s\nrequirements. 7 ONC worked with NIST to develop these test procedures. 
8 The ATCBs\xe2\x80\x99\nstandards and procedures for testing and certifying EHRs met all NIST test procedure\nrequirements; however, those NIST test procedures were not sufficient to ensure that EHRs\nwould adequately secure and protect patient health information; in particular, the procedures\nallowed ATCBs to approve EHRs that demonstrated the use of a single-character password\nduring testing. In addition, the NIST test procedures did not address common security issues,\nsuch as, but not limited to, password complexity and logging emergency access or user privilege\nchanges.\n\nONC\xe2\x80\x99S OVERSIGHT OF AUTHORIZED TESTING AND CERTIFICATION BODIES\nNEEDS IMPROVEMENT\n\nThe HITECH Act requires ONC to develop a nationwide health IT infrastructure that allows for\nthe electronic use and exchange of information and that ensures that each patient\xe2\x80\x99s health\ninformation is secure and protected, in accordance with applicable law.\n\nInsufficient Procedures for Periodic Evaluation of Electronic Health Record Applications\n\nThe ATCB must periodically evaluate the EHRs to confirm that they continue to conform to\nFederal standards (ISO/IEC Guide 65:1996 \xc2\xa7 13.4).\n\nAlthough the ATCBs were required to comply with the Principles of Proper Conduct, which\nrequired compliance with ISO/IEC Guide 65, three of the five ATCBs did not have procedures in\nplace to periodically evaluate EHRs to determine whether they continued to conform to Federal\nstandards. ONC officials informed us that although ISO/IEC Guide 65 required periodic\nevaluations, ONC did not enforce that requirement during the Temporary Program. ONC\nofficials stated that ONC was developing procedures for periodically evaluating EHRs. 9\nWithout periodic evaluations, ONC could not assure providers that a certified EHR continued to\nconform to Federal standards. 
For example, after its initial certification, an EHR could be\nmodified to conduct fraudulent activities, such as classifying a medical procedure as more\nexpensive than it actually was (\xe2\x80\x9cupcoding\xe2\x80\x9d).\n\n\n\n7\n    45 CFR \xc2\xa7\xc2\xa7 170.423(e) and 170.523(h).\n8\n  These procedures were approved by ONC in 75 Fed. Reg. 47817 (August 9, 2010). ONC approved procedures are\nindependent of Federal Information Security Management Act of 2002 (FISMA) standard Federal Information\nProcessing Standards No. 200 (FIPS-200) and the associated FISMA guidance Special Publication 800-53.\n9\n ONC officials stated that the requirement for following the procedures would be included in the Permanent\nProgram.\n\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                4\n\x0cInsufficient Training Program Specifically Related to Electronic Health Record Test\nProcedures and Security of Records\n\nThe Principles of Proper Conduct require ATCBs to maintain a training program that is\nconsistent with ISO/IEC standards; those standards include documented procedures and training\nrequirements to ensure that ATCB personnel are competent to test and certify Complete EHRs or\nEHR Modules or both (ISO/IEC 17025:2005 \xc2\xa7 5.2.1).\n\nONC did not require the ATCBs to maintain a training program consistent with ISO/IEC\nstandards. That training program would have ensured that ATCB personnel were competent to\ntest and certify EHRs in IT security topics specifically related to the NIST test procedures the\nATCBs used. While one of the five ATCBs we reviewed trained its EHR testers appropriately,\nthe remaining four did not train their EHR testers in IT security specifically related to NIST\xe2\x80\x99s\nEHR test procedures. Without this training, the ATCBs could not ensure that testers were\nknowledgeable about the security-related requirements they were testing. 
ONC officials\nexplained that they require ATCBs to pass the American National Standards Institute audit and\nNational Voluntary Laboratory Accreditation Program audit, which require some form of IT\nsecurity training for testers and which all five ATCBs passed. However, ONC could not provide\ndocumentation to support that those audits required EHR testers to be trained in IT security\ntopics specifically related to the NIST test procedures the ATCBs used. Without training\nspecifically related to NIST test procedures, ONC could not ensure that testers were\nknowledgeable about the security-related requirements they were testing.\n\nThe Principles of Proper Conduct required ATCBs to operate a testing and certification program\nconsistent with ISO/IEC standards. ISO/IEC standards state that all records 10 must be secure\n(17025:2005 \xc2\xa7 4.13.1.3).\n\nONC did not require the ATCBs to train personnel in IT security to ensure that all records were\nsecure in accordance with ISO/IEC standards. The records used during testing could have\ncontained proprietary or sensitive information related to EHR testing and certification.\nSpecifically, one of the five ATCBs used the wired equivalent privacy (WEP) protocol to\nencrypt its wireless network during meetings in rented office space. The WEP suffers from\nweaknesses that enable attackers to easily decipher data moving over the wireless network and is\nnot an acceptable encryption method. 11 The ATCB was unaware that the wireless network used\nWEP for encryption because it rented the office space only when it needed to hold meetings and\nexchange test data stored at remote sites using the wireless network. 
We are concerned that an\nATCB that uses WEP to secure its wireless network may not have sufficient IT security\nknowledge to certify EHRs and to protect sensitive or proprietary data.\n\n\n\n\n10\n     Records may be in any medium, such as hard copy or an electronic format (ISO/IEC 17025:2005 \xc2\xa7 4.13.1.2).\n11\n     NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i.\n\n\nONC\xe2\x80\x99s Oversight of the Testing and Certification of Electronic Health Records (A-06-11-00063)                   5\n\x0cAUTHORIZED TESTING AND CERTIFICATION BODY STANDARDS MET\nREQUIREMENTS BUT NATIONAL INSTITUTE OF STANDARDS AND\nTECHNOLOGY TEST PROCEDURES NEEDED STRENGTHENING\n\nStandards and Procedures of Authorized Testing and Certification Bodies Met\nRequirements\n\nThe ATCBs\xe2\x80\x99 standards and procedures for testing and certifying EHRs met all the requirements\nof the NIST test procedures adopted by ONC.\n\nTest Procedures Need Strengthening\n\nThe PHSA \xc2\xa7 3004 (added by the HITECH Act) requires ONC to define the standards,\nimplementation guides, and certification criteria for evaluating how EHRs conform to criteria for\nprotecting electronic health information through implementing appropriate technical capabilities.\nONC\xe2\x80\x99s standards, found at 45 CFR \xc2\xa7 170.302, include several relating to security. 12 Regulations\nfor the Temporary and Permanent Certification Programs require that ATCBs use testing\nprocedures approved by ONC to evaluate conformance of EHRs to each of ONC\xe2\x80\x99s\nrequirements. 13 ONC worked with NIST to develop these test procedures. 14\n\nONC\xe2\x80\x99s approved NIST test procedures did not ensure that certified EHRs would secure patient\ninformation. For example, the test procedures allowed ATCBs to approve EHRs that\ndemonstrated the use of a single-character password during testing. 
In addition, the NIST test procedures did not address common security issues, such as, but not limited to, password complexity and logging of emergency access or user privilege changes. Without test procedures to address such common issues, ATCBs could continue to certify EHRs with vulnerabilities that could pose a significant risk to the protection of EHR-related information.

CONCLUSION

The process of certifying EHRs is designed, in part, to give providers the confidence to know that patient health information is secure and protected. Our audit revealed vulnerabilities with the Temporary EHR certification program. These vulnerabilities could allow hackers to penetrate EHR systems, thereby compromising the integrity, confidentiality, and availability of patient information stored in and transmitted by a certified EHR.[15]

[12] 45 CFR §§ 170.302(o)–(u).
[13] 45 CFR §§ 170.423(e) and 170.523(h).
[14] These procedures were approved by ONC in 75 Fed. Reg. 47817 (August 9, 2010).
[15] The use of a certified EHR for meaningful use attestation applies to all stages of meaningful use; therefore, all vulnerabilities related to certified EHRs also apply to all stages of meaningful use.

RECOMMENDATIONS

To ensure that each patient’s health information in EHRs is secure and protected, we recommend that ONC require the ATCBs to:

• develop procedures to periodically evaluate whether certified EHRs continue to meet Federal standards and

• develop a training program to ensure that their personnel are competent to test and certify EHRs and to secure proprietary or sensitive EHR information.

We also recommend that ONC work with NIST to strengthen EHR test procedure requirements so that the ATCBs can ensure that EHR vendors incorporate common security and privacy features into the development of EHRs.

ONC COMMENTS

In written comments on our draft report, ONC stated that ATCBs are no longer active in the ONC Certification Program and that testing and certification functions are now performed by separate entities in the ONC Health IT Certification Program: Authorized Certification Bodies (ACBs) and Accredited Testing Laboratories. ONC also stated that although ONC ATCBs were not required to conduct surveillance activities during the Temporary Certification Program, ACBs are required to conduct surveillance, and ONC issued guidance on the subject in July 2013. In addition, ACBs must be accredited by the ONC-Approved Accreditor, which is the American National Standards Institute, as a condition of applying to become an ACB.
ONC also stated that the 2014 Edition EHR Certification Criteria “strengthened test procedures for common security and privacy features for inclusion in EHRs.”

Regarding our recommendation that ONC work with NIST to strengthen EHR test procedure requirements to ensure that EHR vendors incorporate into EHRs common security and privacy features, ONC stated that “the adopted criteria strive to set certain common baselines yet, at the same time, aim to allow EHR technology developers the flexibility to include and demonstrate innovative techniques to protect health information.” ONC added that “it is the ONC’s intention to work with health care providers to encourage and educate them on the use of multi-factor authentication in instances where its use can provide added protections to patient data.” ONC’s comments are included in their entirety as Appendix C.

OFFICE OF INSPECTOR GENERAL RESPONSE

We do not agree that the 2014 Edition EHR Certification Criteria sufficiently address our security concerns regarding the Temporary Certification Program. For example, the 2014 criteria do not address common security issues that we identified in our review of the Temporary Certification Program, such as password length and complexity or logging emergency access or user privilege changes.

We agree with ONC’s statement that “the adopted criteria strive to set certain common baselines.” However, ONC’s baseline does not address certain specific security concerns and industry best practices. For example, multifactor authentication has been recommended by NIST since the publication of NIST SP 800-53 in February 2005.
However, ONC still did not require multifactor authentication in the 2014 criteria. Therefore, we continue to recommend that ONC strengthen EHR test procedure requirements to address such issues to ensure providers have EHR systems that have adequate security and privacy features.

OTHER MATTERS

Neither the Temporary Certification Program nor the Permanent Certification Program directly addresses ONC’s authority to remove a certified EHR from the Product List absent evidence of improper conduct by the ATCB.[16] Therefore, if an EHR is exploited and used to conduct malicious activities, ONC is not able to remove the EHR, even temporarily, from the Product List to prevent further purchases of it. In order to assure the public that certified EHRs on the Product List meet current security and privacy requirements, ONC would need to have the ability to decertify and remove obsolete, unsupported, or less secure EHRs on the basis of its own assessment of them or to otherwise have procedures to notify the public.

In addition, none of the five ATCBs we reviewed verified whether the EHRs that they certified were marketed for the specific operating systems for which they were tested.
For example, even though an EHR was tested using Microsoft Windows, it could have been marketed as having been tested and certified under another operating system platform (e.g., iOS, Android, or Linux). Without standards requiring testing for specific operating systems, EHRs could have been used on operating systems that had an entirely different set of vulnerabilities, increasing the risks to the security and privacy of protected health information.

[16] See 45 CFR §§ 170.470 and 170.570.

APPENDIX A: FEDERAL AND INTERNATIONAL REQUIREMENTS ON THE TESTING AND CERTIFICATION OF ELECTRONIC HEALTH RECORDS

FEDERAL REQUIREMENTS FOR ONC

Section 3001(C) of the Recovery Act states that ONC must review Federal health IT investments to ensure that (1) Federal health IT programs are incorporating privacy and security protections for the electronic exchange of an individual’s personally identifiable health information and that (2) security methods ensure appropriate authorization and electronic authentication of health information and include technologies or methodologies for rendering health information unusable, unreadable, or indecipherable.

Section 3001(b) of the Recovery Act states: “The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information and that—(1) ensures that each patient’s health information is secure and protected, in accordance with applicable law.”

Section 3004(b)(1) of the PHSA requires “the Secretary of Health and Human Services to adopt an initial set of standards, implementation specifications, and certification criteria … to enhance the interoperability, functionality, utility, and security of health information technology.”

NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, states that WEP suffers from cryptographic weaknesses that enable attackers with readily available software tools to decipher data.

INTERNATIONAL REQUIREMENTS FOR THE AUTHORIZED TESTING AND CALIBRATION LABORATORIES[17]

ISO/IEC 17025:2005 § 4.1.5 states that the testing laboratory must have policies and procedures to ensure the protection of its customers’ confidential information and proprietary rights, including procedures for protecting the electronic storage and transmission of results.

ISO/IEC 17025:2005 § 4.13.1.3 states that all records[18] must be held secure and in confidence. Section 4.13.1.4 states that the laboratory must have procedures to protect and back up records stored electronically and to prevent unauthorized access to or amendment of these records.

ISO/IEC 17025:2005 § 5.2.1 states that personnel performing specific tasks must be qualified on the basis of appropriate education, training, experience, or demonstrated skills, as required.
The personnel responsible for the opinions and interpretation included in test reports should have, in addition to having the appropriate qualifications, training, experience, and knowledge of the testing carried out, knowledge of the general requirements and an understanding of the significance of deviations from the normal use of the items, materials, or products concerned.

[17] According to ONC’s Principles of Proper Conduct, the ATCBs must comply with these international requirements.
[18] ISO/IEC 17025:2005 § 4.13.1.2 states that records may be in any medium, such as hard copy or electronic format.

ISO/IEC Guide 65:1996 § 13.4 states that the certification body must periodically evaluate EHRs to confirm that they continue to conform to the standards.

APPENDIX B: AUDIT SCOPE AND METHODOLOGY

SCOPE

We focused our audit on ONC’s procedures for monitoring the ATCBs and assessed the ATCBs’ effectiveness in testing and certifying EHRs. We limited our review to controls that were in effect at the time of our onsite visit to ONC and the ATCB offices.
We did not review any of the 187 EHRs certified under the Permanent Program.

We conducted our fieldwork from January 24 through June 28, 2012, at ONC in Washington, DC, and at five ATCB offices: The Certification Commission for Health Information Technology (Chicago, Illinois), Drummond Group (Nashville, Tennessee), SLIGlobal (Denver, Colorado), ICSA Labs (Mechanicsburg, Pennsylvania), and InfoGard (San Luis Obispo, California).

METHODOLOGY

To accomplish our objective, we:

• reviewed applicable Federal requirements, NIST SPs, the Principles of Proper Conduct, ISO/IEC Guides 17025:2005 and 65:1996, and industry best practices;

• reviewed ATCBs’ procedures related to violations/complaints, training, and the security of records in accordance with ISO/IEC Guides 17025:2005 and 65:1996;

• interviewed ONC officials responsible for monitoring ATCBs to help determine whether the ATCBs complied with the Principles of Proper Conduct;

• reviewed ONC documentation for monitoring ATCBs to determine whether the ATCBs complied with the Principles of Proper Conduct;

• interviewed ATCB testers and other individuals about their procedures for testing and certifying EHRs;

• judgmentally selected 30 EHRs and reviewed supporting documentation for each; and

• discussed our findings with ONC.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX C: ONC COMMENTS